
Someone to whom I am related is at a study camp for their desired profession. This person, let's call her Jane, is supposed to be studying rigorously for two months. The housing provided offers wireless internet connections, which are spotty and don't allow for fluid streaming of even low-quality video, or other tasks useful for studying. Being that Jane wants to study in her down-time and look up resources as a reference to the material, she needs to access these materials and suffer with a slow connection. There are no provided modems or other ways to connect via Ethernet, and the student is expected to have some form of wireless-capable computer, presumably.

Now, I want Jane to have the best possible studying experience, and I understand that they might deem this experience "the best to study in," so I called and claimed that I was interested in attending the camp myself, but I only have a desktop computer with no wireless card, and I expect a wired connection. After a few hours, I received a response saying the following:

"We do not provide hard wire connections to our network because of viruses and stuff"

It was clear to me the information I was being relayed was second-hand, but acknowledging that I wouldn't be able to change anyone's mind about this policy, I come here to posit this question:

Exactly what security benefits could be gained by only offering a Wireless connection?

In this case, I'm assuming that the answer given to me was genuine and not just an excuse for them to not do extra work or anything of the sort.

Erin B
  • Well, to use highly official terms, `Viruses and stuff` are very bad for computers. I honestly hope that wasn't IT who responded (: – Radvylf Programs Aug 28 '18 at 23:05
  • Did they really say "*viruses and stuff*"? – Schwern Aug 28 '18 at 23:47
  • That's not the stupidest thing I've ever heard someone say in IT (I'm old, there's a /lot/ to choose from) but it's well up there... – Shadur Aug 29 '18 at 10:50
  • I've been in ho(s)tels where they told a similar story. They usually have a good reason but a terrible explanation. – Mast Aug 29 '18 at 11:22
  • I am a little surprised that they chose that answer given that USB Wi-Fi adapters cost about $10 or you could put one in your PC for about $10 as well. Their response is probably the culmination of things which they were able to remember their IT guys speak during training/orientation so it must have just been the most convenient off-the-cuff answer. – MonkeyZeus Aug 29 '18 at 12:38
  • @Schwern yes they did, I had to stifle a laugh on call with them. – Erin B Aug 29 '18 at 13:19
  • "I'm assuming that the answer given to me was genuine and not just an excuse for them to not do extra work or anything of the sort" - never `assume`, it makes an `ass` out of `U` and `me` :-) – Mawg says reinstate Monica Aug 29 '18 at 13:57
  • How is the data connection on Jane's handphone? Could she set up a hotspot? – Mawg says reinstate Monica Aug 29 '18 at 14:01
  • @Mawg I was making that assumption for the purposes of discussion, rather than to credit the company. I feel as though it would be easier to dismiss this question by just saying "oh they're just lazy" if that weren't given. – Erin B Aug 29 '18 at 14:01
  • @Mawg sorry, that 2nd comment came in right as I'd finished typing. Jane is on a limited data connection with her family; I assume she could buy more data, but it really seems to me like you shouldn't have to do that in any well-established town. – Erin B Aug 29 '18 at 14:04
  • One might even expect the study camp to provide the required facilities, especially if the course must be paid for. – Mawg says reinstate Monica Aug 29 '18 at 14:13
  • This might sound a bit rude, but I can see how the answer you got is 99% their fault and 1% your fault, actually. You basically posed an XY problem ( https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem ). You also assumed that you knew the solution, while it might not have been that easy. You even assumed that your e-mail was read by some technical person. Both of these assumptions are most likely wrong. – ChatterOne Aug 30 '18 at 07:20
  • A bit off-topic, but is there a reason to assume that she would have any more bandwidth even if she would connect via ethernet? – FINDarkside Aug 30 '18 at 11:50
  • @FINDarkside At the least, it's usually more stable. Wi-Fi has a lot of packet loss to contend with, and when 20 people swamp a single access point then Ethernet will simply feel faster because of its reliability. The access points could also be hobbled to provide a certain speed limit per connection, which also takes processing power to regulate. – MonkeyZeus Aug 30 '18 at 15:11
  • As a solution to your actual problem (connecting without a wireless interface in your laptop) check this answer about Android tethering: https://superuser.com/questions/881932/using-a-smartphone-as-a-wireless-router – Bernat Aug 31 '18 at 08:09
  • Maybe they wanted to say "Wired connections are reserved for trusted/internal users because they are connected to the internal network and your user does not meet that status". Which could be reworded as "We don't want your user's potential viruses in our internal network" – bradbury9 Sep 03 '18 at 12:29

7 Answers


Warning: Conjecture, because none of us know their actual setup.

It is very likely that the organization has their own network, which is hard-wired, as well as a guest network, which is wireless-only. The two are separate networks. This is a common layout because laying wire to desks is expensive, but worth it, for your own employees; broadcasting wireless is cheap, and worth every penny of it, for your guests.

When you asked about a hard-wired connection, they are answering the question of which network you'd be on rather than how you connect to the network. And as the two are intertwined in their minds ("hard-wire is our network, wireless is guest network") they are answering very simply.

From their point of view, they don't want non-organization machines on their network, only on the guest network - because of viruses and stuff. We can all understand that we wouldn't want random visitors on our internal networks, right? So that would be a context in which their answer makes sense.

I would suggest explaining your concern to them and seeing if they can come up with a solution, instead of asking them about the solution you would expect to work. It may be that they only expect guests to need enough connectivity for email and light web browsing. If you explain that Jane needs more bandwidth for her study needs, and can convince them that it's a reasonable request, they're likely to find some way to help - even if it's just moving Jane to a room closer to the Wireless AP.

gowenfawr
  • So, in this case, they would functionally be treating their customers (students) as less important than whatever they are using their primary network for? Just trying to determine if it is something worth fighting for. – Erin B Aug 28 '18 at 18:42
  • I once managed to take down the Moscone Center (convention center in San Francisco) about 10 years ago because they didn't isolate their office network from the hard drops they'd set up for people. I asked why the hell they did that, and their excuse was that when Cisco and others were there, they needed full access. To the outside world, maybe ... but you secure your office network. (I was sending DHCP, and their machines were getting bad IP addresses) – Joe Aug 29 '18 at 17:04
  • @ErinB: More to the point, the ability of the employees to access all the equipment on the internal network is infinitely more important than the customers' needs to do likewise, since the latter is zero. – supercat Aug 29 '18 at 18:25
  • This is where implementing network segregation via subnetting, a DMZ, and an ACL comes into play. Employing 802.1x authentication on the trusted network would also be helpful. – Davidw Aug 30 '18 at 06:44
  • @ErinB being an important customer wouldn't mean being handed a key to every locked room or safe that employees routinely are given access to, no? – rackandboneman Aug 30 '18 at 07:18
  • This is speculation ... but plausible speculation. – Jay Aug 30 '18 at 16:46
  • @Joe Very strange. I was IT for a convention center management organization and the network for the organization (which was located in the convention center) was completely separate from the networking available on the show floors - even with separate internet connections. On top of that, the only outside organization that got unfettered access to whatever they wanted was the US Secret Service. – Todd Wilcox Aug 31 '18 at 16:49
  • I have seen this implementation... where there was no additional security on the wired, so it proved very interesting when some students plugged in themselves! – Wilf Sep 02 '18 at 19:46

It really depends on how they have set up their network, so we can only speculate. But I can provide a similar anecdote.

My local library has a wifi that you can log into using your library card. Several rooms have ethernet ports in the wall, but when I asked if I could plug in, I was told that the ethernet goes straight to the back-end network with access to the library's databases, printers, etc. Not intended for customers.

It's common practice to keep separate networks for "trusted" machines that are using corporate-supplied anti-virus, etc., and a separate network for the public to use. I guess wifi vs ethernet is as good a way as any to split that.

Mike Ounsworth
  • "[...] I was told that the ethernet goes straight to the back-end network with access to the library's databases, printers, etc. Not intended for customers." <- ...That's... disconcerting; I hope they whitelist MACs? – redyoshi49q Aug 29 '18 at 03:47
  • @redyoshi49q Doubt it. I assume whoever designed the networks assumed there would only be ethernet drops in the offices, not in public areas. – Mike Ounsworth Aug 29 '18 at 04:12
  • @redyoshi49q Hopefully those ports are not connected on the patch panel. – Andrew Morton Aug 29 '18 at 12:54
  • Out of curiosity -- did you ever try to plug into those spots in the rooms? They may only be "meant" for staff, but I'm intensely curious if there's any auth or security aside from "does or does not have Ethernet cable".... – RoboBear Aug 29 '18 at 20:15
  • @RoboBear Yup, internet was _waaayy_ faster than the wifi. Then a librarian told me not to. I guess I shouldn't tell you where I live ... – Mike Ounsworth Aug 29 '18 at 21:16
  • @AndrewMorton Or disabled on the switch. – cpast Sep 01 '18 at 00:22

I'm going to come at this from a network-engineering point-of-view (full disclosure: CCNA / N+, I work on enterprise-level network systems which include complex topics that we'll discuss here, as well as having done network-engineering for a private university).

Every network is different, and every network-device is different, but there are some commonalities:

  • Many enterprise-level devices (switches) offer some sort of "VLAN" ("Virtual LAN"). For those unfamiliar, think of it as a way of saying "this switchport is in LAN X, whereas this other switchport is in LAN Y." This allows us to separate devices logically, so that you and I can be plugged into the same switch but not even see each other through MAC targeting;
  • Many enterprise-level devices (switches) offer SNMP targeting / triggering / trapping to switch ports between different VLANs based on things like MAC addresses and the like;

Here's the thing about Ethernet / RJ-45 / 100M/1000M connections: we typically use lower-end devices for this, because we often "just" need a basic connection back to the router. Often they're less advanced, and don't offer good-quality versions of the features above. (You'll typically find VLAN segregation on just about every switch nowadays, but the SNMP triggering and targeting is substantially more difficult to find at a good price point.)

When I worked for the University we used a software that would look at a switchport and the MAC address (a unique hardware identifier for your Ethernet port) which would decide what VLAN you were on: Guest, Staff, Faculty, Student, Lab, etc. This was extraordinarily expensive, both in licensing and implementation. While there are good, free tools out there to do this, it's still difficult to set up, and may not be worth it depending on what the goals of the company are. (This software is notoriously unreliable.) Another problem is that, with sufficient work, a MAC address can be spoofed, which makes it about as secure as using someone's full name.

So we have to make a decision: support hard-wired connections that may be unstable, insecure, and leak access to privileged resources, or not?

No network is perfectly secure; even if we have all the resources on the "protected" network locked down, there's still a risk of connecting a foreign device to the network. Therefore, we often make decisions like "any BYOD connects to this wireless network." We can turn the wireless network into a "Guest"/"Secured" network via different SSIDs and authentication mechanisms. This means we can have both the guests and employees connected to one wireless access point. Infrastructure cost is lower, and we get the same security benefit.

Like the other answers, this is conjecture or speculation, but from my (professional) experience this would be the likely explanation. The infrastructure cost to support hard-wired connections was too high to be justified. (And since almost all devices people use have wireless capability these days, it's tough to justify.) Considering even Apple is dropping Ethernet ports off the MacBook Pro by default, we get into a "is it even worth it?" situation.

TL;DR: Ethernet is too expensive to do across the board and secure properly, whereas wireless is becoming much more commonplace, secure, and easier to distribute access for.

user
Der Kommissar
  • I think I'd be okay with this approach for a company, so long as the wi-fi speeds are acceptable, (i.e. streaming video) and an up-front acknowledgement that this is being done in the first place. I think I have the most trouble with this solution because it seems deceptive to lure people into "a place of study" and then tell them that their learning tools are limited. – Erin B Aug 29 '18 at 14:44
  • @ErinB Well, you have to ask yourself: how do you know the Wifi speeds _are_ poor? If you're asking about streaming videos and such, how many _other_ people on the Wifi do you think are streaming videos? Typically, in these environments, we use multi-channel roaming access-points, which means that we can load balance them, but it _just may be_ that the Wifi/internet connections are being taxed by the number of users. (All speculation / hypothetical, but offers another explanation.) – Der Kommissar Aug 29 '18 at 14:46
  • And it makes sense that this would be the case, but then, wouldn't you expect this as any IT department worth its salt? If your customers are unable to do the one thing they are attending your company for, that seems like a largely negative impact to business. Providing accommodations (like say, Ethernet connections) would be a suitable measure in this instance. – Erin B Aug 29 '18 at 14:51
  • @ErinB Aha, you've gotten into the "what trade-offs do we make". I've been on the Business side of it as well (I'm typically the bridge between Network / Software Engineering and business), and we always get a "well nevermind, we don't want to do that because ___", where '___' is almost always $$$. Running Ethernet is _expensive_, securing it is _expensive_, do we value the benefits from those expenses? Sure, but is there enough value _in_ it? More Ethernet = more hardware, more maintenance, a lifetime of it. – Der Kommissar Aug 29 '18 at 14:53
  • Fair enough, I can only hope that I've made them aware of these business assumptions by calling in and asking about it specifically, then! – Erin B Aug 29 '18 at 14:58
  • @ErinB I just realized that comment formatted weird, replace `because ", where '' is` with `because ", where is`. – Der Kommissar Aug 29 '18 at 14:59
  • The university that I used to work at got to the point where all incoming students had to bring their computers to be scanned for viruses before their machine was allowed on the dorm networks (MAC-based filtering so you couldn't go anywhere 'til you did it) – Joe Aug 29 '18 at 17:08
  • @Joe Ours was a software you installed that regularly scanned your PC for valid antivirus. The only thing you could do on our network without the software was install the software. – Der Kommissar Aug 29 '18 at 18:26
  • Known in Microsoft circles as Network Access Protection, you set a network access policy on the server that requires clients to meet that policy or be restricted in what the client can do on that network, until the client complies with the policy. The policy can even be set to do auto remediation on the client to force compliance. – Davidw Aug 30 '18 at 06:58
  • @Davidw That still doesn't mitigate the primary risk, which is guest device access to the same LAN as protected devices. That might work fine for me accessing a file-share, but what about accessing the employee computer in the room next door? That's where SNMP trapping comes into play, but is sadly unreliable, expensive, and difficult to maintain. – Der Kommissar Aug 30 '18 at 14:04
  • That was more of a general comment, and less intended to be a solution for the question. As an aside, NAP has been deprecated/retired, Windows 10 no longer supports it. – Davidw Aug 31 '18 at 05:14
  • I'm no CCNE, but I'd have imagined that all the ports in the dorm rooms would be connected to a switch which was on the guest VLAN. Why would guest bedrooms need anything else? Therefore, no need of VLAN switching or even MAC registrations - you plug in there, you're in the guest network (no exceptions). In the case where there's a CCTV camera or something, then that specific port could be assigned a VLAN (or put onto the VLAN-switching technology). However, as noted, wiring up the rooms is more expensive than throwing in a wireless AP. – Ralph Bolton Aug 31 '18 at 10:56
  • @RalphBolton OP indicated that there were no Ethernet ports in dorms or study areas, and was asking why that might be the case. You're also still missing that running all that Ethernet, securing it, and maintaining it is still expensive, and a cost/value trade-off. – Der Kommissar Aug 31 '18 at 11:16
  • I'm surprised that you only had an "extraordinarily expensive and notoriously unreliable" option for what essentially is a RADIUS server and switches with 802.1X... – user1686 Sep 01 '18 at 09:27
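To make the VLAN and 802.1X mechanics discussed in this answer and its comments concrete, here is an added example configuration (written for this page, not the answerer's or any real deployment's): a Cisco IOS access switch where a room drop lands on a guest VLAN by default and only moves to the staff VLAN after a successful 802.1X authentication against a RADIUS server. The VLAN numbers, interface names, the RADIUS address 192.0.2.10 and the shared-secret placeholder are all assumptions.

```cisco
! Added example (assumed switch, not from the page): the guest VLAN is the
! default for an untrusted drop; the staff VLAN is only reachable via 802.1X.
vlan 10
 name STAFF
vlan 20
 name GUEST
!
! AAA against RADIUS; "authorization network" is what lets RADIUS push a VLAN.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
radius server CAMPUS-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Weak setting: a room drop placed straight on the staff VLAN with no
! authentication. Anyone with a patch cable is "inside", which is exactly the
! risk the answers describe.
interface GigabitEthernet1/0/5
 description Room drop (unsafe: unauthenticated, on STAFF)
 switchport mode access
 switchport access vlan 10
!
! Corrected setting: the port starts in GUEST. A client that completes 802.1X
! is moved to the VLAN the RADIUS server returns (Tunnel-Type=VLAN,
! Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=10). A failed
! authentication or a client that never speaks 802.1X stays in GUEST.
interface GigabitEthernet1/0/6
 description Room drop (authenticated, defaults to GUEST)
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication event fail action authorize vlan 20
 authentication event no-response action authorize vlan 20
 authentication host-mode single-host
 dot1x pae authenticator
 spanning-tree portfast
!
! MAC authentication bypass ("mab") is deliberately left off: as the answer
! notes, a MAC address can be spoofed, so the VLAN decision here rests on the
! 802.1X credential, not on the hardware address.
```

With this layout a student who plugs into either kind of port on an unmanaged drop gets guest access only on the second interface, which is the property the "wired means our network" policy in the accepted answer is trying to get without rewiring.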

Looks like this is solved, but I wanted to inject discussion of "Wireless AP Isolation" which is a one-button click on most vendors' small-to-mid scale deployments such as small schools and hotels.

I could easily see a "summer camp" relying on AP isolation, rather than hardware network segmentation to keep out "viruses and stuff."

What I don't know is whether this is actually a good defense, or whether this is easily broken out of.

dnavinci
  • Meraki has network isolation on by default. It's actually quite nice because it protects users from each other. It's nice until you try to create a print share or some other shared resource then they hit you up for an upgrade. – jorfus Aug 30 '18 at 00:25

I suspect that the REAL answer is not any security concern about "viruses and stuff", but rather that it is too difficult and expensive to run ethernet cable to all the campers. Setting up a wifi router is pretty cheap and simple: you run one cable from the modem to the router, put it someplace where it gives a good signal throughout the desired area, and you're done. Stringing ethernet cable is a lot of work: you have to run a cable to every workstation. Depending on how pretty you want the results to be that can mean tearing out walls to string the cable.

Wifi has the inherent security hole that anyone who can get within the signal range with a computer could conceivably hack into your network. I pick up signals from a dozen of my neighbors whenever I turn on my computer. With a wired-only network, they'd have to break into your building. I can't think of any reason why ethernet would be LESS secure than wifi, though I confess I am not a security expert.

Several others have mentioned that they might have a wired network with greater access than the wifi network. Possible. The issue there is not really wire vs wifi, but that one network "coincidentally" has greater access than another, but it's certainly possible that that's what someone was thinking of when they answered the question.

Jay

If plugging in the physical cable is a bypass for the wireless connection password as other posters mentioned, then have a physical cable connect to a wireless router in a locked box just for that location. This way you have both the reliability and extensibility of a wired connection but the security (pending items below) of no-physical-access. You can thus also easily serve many other users within that more remote area.

Of course wired connections have vulnerabilities such as physical (cable) interception and vulnerable routers/hubs/etc.

schroeder
SaltySub2

My immediate thought when I read the OP was PHYSICAL ACCESS. (The OP was looking for possible scenarios where copper (UTP cable) could be more of a security risk than WiFi...)

The first thing (well, one of the first things) you learn about IT security is that physical network devices need to be placed where they cannot be accessed by "just anyone."

The reason for this, generally, is because there are nasty things you can do to a device (like bring down the entire network) if you can "physically touch it." Things you cannot do over a remote connection.

Example: On a brand new Cisco device, you must physically connect to the device via a "console cable" to begin the basic configuration process. Basics like setting up remote access, setting passwords, etc. You can also just as easily wipe out the entire IOS image, delete the running-config, etc.

So, to reduce certain security risks, you put your devices behind locked doors and grant access to the devices only to those who need it.

So coming back to the OP's question, you could say that you'd need physical access to a device in order to plug in a patch cable, whereas you wouldn't need physical access to make a wireless connection.

In that most basic scenario, wireless connectivity would pose less of a security risk.


And yeah, yeah, yeah..., I know that most physical connections are made via wall jack and therefore you don't need direct access to the network device itself, but I'm providing a SIMPLE scenario which fulfills the OP's original question.

schroeder